Highest Externally Validated Security

Since its founding, Janrain has been a leader in authenticating individuals and securing their digital identities in the cloud. In our early days, we co-founded the OpenID foundation and were key contributors to the code that launched the customer identity and access management industry. Today, having hosted personal data for our clients for years longer than any of our direct competitors, our focus on protecting the digital identities we store for our clients remains at the core of what we do.

Highest externally validated data protections of any CIAM vendor

We understand that our clients' success and, consequently, our own, depends on our commitment to maintaining the security, confidentiality, integrity, and availability of the hosted digital identities of our clients' employees, customers, and third parties whom our clients have authorized to access their online properties or managed devices. That's why our global platform architecture uniquely features field level scoped data access, complete database encryption of data at rest, leading service availability and data reliability, distributed backups, and disaster recovery capabilities second to none. It is why Janrain leads the competition in accredited third party certifications.

Industry Security Alerts

Facebook Sept. 2018 security breach

Today, Facebook confirmed a breach impacting approximately 90 million user accounts. Janrain is not affected by this data breach; however, any users who use their Facebook login for other services could be affected if any active sessions are still open.

Out of an abundance of caution, Janrain has reset all Facebook authenticated sessions, requiring all users to log back into any of the services authenticated by Facebook.

Drupal v 7 and 8 Security Releases

Drupal has recently announced security updates for Drupal 7 and 8. Janrain's Drupal module does not contain code subject to the vulnerability. However, Janrain clients who have chosen to implement Drupal should already be aware of how important it is to keep Drupal up to date in order to protect their customer data. Janrain is very serious about protecting our customer data and consistently monitors for security threats. We are sending out this courtesy security notification advising you to ensure that you have applied the recent Drupal updates. More information can be seen here: https://www.drupal.org/psa-2018-001

04/03/18

Spectre and Meltdown

The Janrain Identity Cloud® runs on AWS; AWS updates protect the underlying infrastructure. AWS began applying patches for the Spectre and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) on 2017-01-03. AWS's security bulletin can be seen here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/ Janrain monitored AWS's rollout of operating system patches for all of Janrain's client databases.

01/05/18

Apache Struts

Please be advised that the Janrain Identity Cloud does not use Apache Struts in any part of our Identity Cloud. Apache Struts have become a focus for the security industry due to the recently disclosed Equifax customer data breach, but have never been part of Janrain's architecture.

Yahoo account data breach

This is a courtesy notification that today Yahoo confirmed that in 2013 more than 1 billion of their user accounts were subjected to a data breach. Janrain is not affected by this data breach. Yahoo has alerted all affected users and further details are available from Yahoo at yahoo.com/security-update.

12/14/16

OAuth 2.0

A recent academic paper revived concerns about OAuth 2.0 implementation vulnerabilities that could cause mobile application accounts to be hijacked. All parties agree that the OAuth 2.0 protocol is secure. In addition, Janrain confirms that our implementation mechanisms ensure that the Janrain Identity Cloud is not subject to this vulnerability. If you have implementation-specific questions, please file a support ticket.

11/21/16

Yahoo account data breach

This is a courtesy notification that today Yahoo confirmed that in 2014 more than 500M of their user accounts were subjected to a data breach. Janrain is not affected by this data breach. Yahoo has alerted all affected users and further details are available from Yahoo at yahoo.com/security-update.

09/22/16

HTTPoxy

In light of the current HTTPoxy vulnerability, this is a courtesy security notification advising our clients who have deployed Drupal on their online properties to ensure they have applied all Drupal patches. Please note that the threat is to Drupal and not to Janrain. More information can be found here: https://httpoxy.org/ and https://www.drupal.org/SA-CORE-2016-003.

07/22/16

ImageMagick

Janrain is not affected by the latest ImageMagick vulnerability. Policy files have been updated on all nodes to combat this threat. In addition, all uploaded files have "magic byte" checking performed; all images uploaded for processing will be checked whether they are new or existing images. Industry-recommended remediation was to do one or the other. Janrain is doing both.

05/25/16

DROWN

An international group of researchers unveiled an SSL vulnerability referred to as DROWN. At Janrain, we reviewed our architecture and confirmed we do not support any outdated versions of SSL; therefore, Janrain is not vulnerable to DROWN. For more information about DROWN and to check if other systems at your company may be at risk, please visit this site.

03/21/16

GLIBC

Janrain is not affected by the GLIBC vulnerability described in CVE-2015-7547. After the vulnerability was disclosed, our team reviewed the vulnerability with AWS Services, our cloud hosting provider. Further details from AWS can be found here.

02/23/16

POODLE SSL

Since POODLE affected SSLv3 specifically, we decided to reject all incoming traffic using SSLv3. If you currently use SSLv3, you will need to disable SSLv3 and only use TLS 1.0, 1.1 or 1.2. At this time, our remediation of the POODLE vulnerability has been completed.

01/05/15

BASH Unix Shell Script

Janrain has reviewed the BASH vulnerabilities CVE-2014-6271 and CVE-2014-7169 and due to the absence of a vulnerable implementation, we have determined there is no risk of exposure in the Janrain SaaS platform.

09/26/14

OpenSSL SSL/TLS MITM Vulnerability (CVE-2014-0224)

A minor vulnerability in the popular OpenSSL cryptographic software library used on many websites worldwide has been uncovered. This does not pose a security risk to Janrain clients, as it would only allow access to data if the SSL stream had already been compromised. Janrain has updated all production systems to resolve the exposure from this vulnerability. Our clients do not need to take any action. Learn more about the vulnerability here: http://www.openssl.org/news/secadv_20140605.txt.

Heartbleed

All Social Registration and Social Login endpoints have been patched against the Heartbleed vulnerability.

04/16/14

How we keep your customer identity data secure

Security monitoring, blocking and fraud protections

Janrain continuously monitors the state and health of the Janrain CIAM platform in our production environments. Janrain has automatic monitoring and alerting and on-call staff 24x7x365. Abnormalities trigger alerts to the NOC staff. Detailed Key Performance Indicator metrics are gathered on uptime and availability for every service.

Brute force attacks (account takeovers)

To protect against brute force attempts against user passwords, Janrain offers account locking functionality, where Janrain locks an account after a specific number of failed attempts from a user. This feature is completely customizable by the customer, so the customer determines when and how to block additional login attempts. In addition, Janrain offers CAPTCHA and SMS based authentication options that a customer may choose to implement as a step-up authentication option at any login attempt threshold.
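As an added illustration of the lockout and step-up thresholds described above (this is example code written for this page, not Janrain's own implementation), the following Python sketch tracks failed password attempts per account and decides whether the next attempt is allowed, must pass a step-up challenge (CAPTCHA or SMS code), or is rejected because the account is locked. The threshold values, the `LockoutPolicy` and `LoginGuard` names, and the in-memory state store are all constructed assumptions; a real deployment would keep the counters in a shared store and use the wall clock.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # accept the password attempt as normal
    STEP_UP = "step_up"    # require CAPTCHA or an SMS code before the attempt proceeds
    LOCKED = "locked"      # reject the attempt outright until the lock expires


@dataclass(frozen=True)
class LockoutPolicy:
    """Tenant-configurable thresholds (constructed defaults, not Janrain's)."""
    step_up_after: int = 3    # failures before step-up authentication is demanded
    lock_after: int = 5       # failures before the account is locked
    lock_seconds: int = 900   # how long a lock lasts


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LoginGuard:
    """Tracks failed password attempts per account and decides what to demand next.

    The caller passes `now` explicitly so the logic is deterministic and testable;
    in production this would be time.time() and the state would live in a shared store.
    """

    def __init__(self, policy: LockoutPolicy = LockoutPolicy()):
        self.policy = policy
        self._state: dict[str, AccountState] = {}

    def _get(self, account: str) -> AccountState:
        return self._state.setdefault(account, AccountState())

    def check(self, account: str, now: float) -> Decision:
        """Decide how to treat the next login attempt before the password is verified."""
        st = self._get(account)
        if st.locked_until > now:
            return Decision.LOCKED
        # Once the lock expires the failure count is deliberately kept, so the
        # account stays in step-up mode until a successful login resets it.
        if st.failures >= self.policy.step_up_after:
            return Decision.STEP_UP
        return Decision.ALLOW

    def record_failure(self, account: str, now: float) -> Decision:
        """Count a failed password check; lock the account once the threshold is hit."""
        st = self._get(account)
        st.failures += 1
        if st.failures >= self.policy.lock_after:
            st.locked_until = now + self.policy.lock_seconds
        return self.check(account, now)

    def record_success(self, account: str) -> None:
        """A successful login (including one that passed step-up) clears counters and locks."""
        self._state.pop(account, None)


if __name__ == "__main__":
    guard = LoginGuard()
    for t in range(6):
        print(t, guard.record_failure("demo-user", now=float(t)))
    print("after lock expiry:", guard.check("demo-user", now=2000.0))
```

Keeping the failure counter after the lock expires is the design choice worth noting: an attacker who waits out the lock still faces the step-up challenge, while a legitimate user who completes it has the state cleared by `record_success`.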

Advanced persistent distributed attacks

Janrain has experience in successfully staving off distributed attacks and can block numerous sets of dynamic IPs spun up by malicious actors during an attack. Janrain proactively monitors for bots/malicious activity based on correlating dozens of custom metrics specific to login and registration.

IP-blocking and white listing

Janrain can block IP addresses (geoblocking) from specific countries or regions from registering and/or logging in on a per customer basis. Janrain can block specific lists of IP addresses (e.g., lists of known bad IP addresses and black hat associated IP addresses). Janrain can also whitelist IP addresses that are legitimate but exceptions to standard rules or erroneously added to blacklists.

Denial of service attacks

Janrain's ability to withstand DoS attacks was tested by an external third party penetration testing firm, Online business services. Bot mitigation strategies include rate limiting, to mitigate bot DoS attacks, reCAPTCHA to mitigate bots creating fake user profiles, and both client and server side validation to ensure that all field values are legitimate.

Trend monitoring

Janrain employs custom API monitoring on a per customer basis in order to establish trends in usage as well as to identify and block abnormal usage patterns. Janrain API monitoring has proven successful at identifying and mitigating malicious activity on behalf of Janrain customers. Janrain values the uniqueness of each of its clients and can implement alerting and blocking rules which reflect the client's inherent trend differences. Adjusting a client's custom blocking rules is a very collaborative process between Janrain and the client. Different clients have different risk appetites and risk tolerances, affecting the trade-off between blocking some legitimate traffic and absorbing some cost of fraud. Advanced persistent attacks might involve multiple adjustments of the custom policy engine rules.

Intrusion detection

New account creation fraud protections

Janrain offers CAPTCHA and SMS based authentication options that a customer may choose to implement as a step-up authentication protection against scripted account creation attacks. Janrain proactively monitors for bots/malicious activity based on correlating dozens of custom metrics specific to login and registration as well as identifies anomalies specific to Janrain customer's unique traffic patterns.

Janrain Fraud Score

Janrain Fraud Score is an add-on to Janrain Identity Cloud and allows organizations to determine if user accounts registering on or logging into digital properties potentially pose a threat; for example if these accounts are known to have been compromised in the past, are known as scammers, or have shown otherwise harmful behavior. Janrain Fraud Score delivers a reputation score number for an identity in real-time, which can be used to make policy-based decisions about how to treat such identities during account registration, sign-in, or completion of high-value transactions. Accounts can then be blocked from access, partial restrictions might be applied, or additional authentication and identification might be requested.

The Janrain security management program

Please see Janrain's ISO 27001 AT-101 and clean SOC 2 Type 2 report for a detailed description of the Janrain security program's information security management system (ISMS). An overview is presented below.

Information security management system

The ISMS at Janrain is defined by the Janrain ISMS Governance Policy and supporting ISMS Manual which are available to clients upon request. The information security management committee (ISMC) is responsible for ensuring that Janrain maintains conformity to the ISO 27001:2013 and ISO 27018:2014 (PII Protection in the cloud) standards through the implementation of policies and procedures defined within the ISMS.

All security policies and procedures are reviewed and approved for use on an annual basis, or more frequently as determined by risk. Risk assessment remediation can result in updates to policies and procedures to ensure they remain effective.

The effectiveness of Janrain's information security management system (ISMS) is measured by quarterly and annual metrics that accurately reflect the status of the implementation and operation of Janrain security systems and controls. All staff receive security and privacy training on hire and annually thereafter.

Access control

Access is strictly controlled. Access is removed on changes in role and on employee departure. Access reviews are performed quarterly. Access to production systems is controlled by VPN, SSH and multi-factor authentication.

Backups

Customer data is always simultaneously written to encrypted databases in multiple data centers (hot/hot backups) in separate availability zones. Point-in-time encrypted backups are taken nightly, stored in multiple databases across availability zones, and are kept current with incremental backups taken every 300 seconds.

Business continuity

Business continuity is tested and policies are reviewed on an annual basis. Due to Janrain's high availability deployment model across all available AZs per region, invoking business continuity would require a regional disaster simultaneously impacting all of the availability zones in a region plus each of their backup utilities. There is no single point of failure. Using the US East AZ as an example, there would have to be 30-60 simultaneous failures over separate data centers to invoke business continuity. Please note that we have also tested and have runbooks to transfer customers from one region to another in the exceptionally unlikely event of an entire region of multiple separate data centers being lost simultaneously.

"Security and privacy by design" is one of Janrain's core tenets. Security and privacy are included throughout the software development lifecycle.

Firewalls and zero trust

In addition to industry-standard firewalls for all data entering the internal data network from any external source, Janrain uses security groups which act as virtual firewalls to control inbound and outbound traffic. Security groups provide the same network-based blocking mechanism that firewalls provide, but are easier to manage. Janrain has also architected a zero-trust VPC model to further protect your data. Zero trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust. With zero trust there is no default trust for any entity, including users, devices, applications, and packets, regardless of what it is and its location on or relative to the corporate network. Please see Janrain's high level infrastructure document.

Field level data scoped access

Janrain has specifically designed scoped access authorization directly into its CIAM platform. Janrain's uniquely designed and customizable scoped access functionality ensures that the sensitive data that a registered user submits is only used for the purpose for which it was submitted. Janrain's CIAM platform enables this scoped access at the field level for however many profile databases you choose to set up. Scoped access provides organizations with the ability to grant granular, field-level access rights for each of the client credentials used when querying a user record. This is critical in reducing the risk of customer data exposure. Scoped access provides an unparalleled ability to grant exactly the type of data access to other systems in an organization's websites, mobile applications, third-party applications, platforms and services that make up a marketing tech stack. It can even be applied to digital agencies who might require select pieces of user data to run a campaign on a company's behalf. Janrain clients also have the option of having different scoped access for different sites that all write to the same database.
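As an added example of the field-level scoped access idea described above (example code written for this page, not Janrain's API or implementation), the Python below projects a stored user record down to the allow-list of fields granted to a particular client credential. The scope table, the client ids `web-frontend` and `campaign-agency`, the dotted-path convention for nested attributes, and the sample record are all constructed; the point it demonstrates is deny-by-default: a credential with no scope reads nothing, and fields never listed (such as the password hash) can never be returned regardless of what the caller asks for.

```python
from typing import Any

# Constructed scope table: client credential id -> fields it may read.
# Dotted paths reach into nested objects; anything not listed is never returned.
SCOPES: dict[str, frozenset[str]] = {
    "web-frontend":    frozenset({"uuid", "email", "displayName", "address.country"}),
    "campaign-agency": frozenset({"displayName", "address.country"}),
}

_MISSING = object()   # sentinel so a stored None is distinguishable from "absent"


def _lookup(record: dict, path: str) -> Any:
    """Follow a dotted path into nested dicts; return _MISSING if any step is absent."""
    node: Any = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def _store(out: dict, path: str, value: Any) -> None:
    """Write a value into `out` at a dotted path, creating intermediate dicts."""
    parts = path.split(".")
    node = out
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def apply_scope(record: dict, fields: frozenset[str]) -> dict:
    """Return a new dict containing only the scoped fields (allow-list projection).

    The input record is never modified; fields absent from the record are skipped.
    """
    out: dict = {}
    for path in sorted(fields):
        value = _lookup(record, path)
        if value is not _MISSING:
            _store(out, path, value)
    return out


def read_user(client_id: str, record: dict, scopes: dict = SCOPES) -> dict:
    """Serve a user-record read for a given client credential; deny by default."""
    fields = scopes.get(client_id)
    if not fields:
        raise PermissionError(f"client {client_id!r} has no read scope on this entity type")
    return apply_scope(record, fields)


# Constructed sample record, including fields that must never leave the store unscoped.
SAMPLE_USER = {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "email": "user@example.com",
    "displayName": "Sample User",
    "password": "$2b$10$constructed-bcrypt-hash-placeholder",
    "address": {"street": "1 Example St", "country": "US"},
}


if __name__ == "__main__":
    for client in ("web-frontend", "campaign-agency"):
        print(client, "->", read_user(client, SAMPLE_USER))
```

The same projection could be applied on the write path (a second allow-list per credential), which is how a marketing integration can be permitted to update a preference field while remaining unable to read or change anything else.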

Encryption

All data in transit is encrypted. Janrain leverages encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances. All data in transit utilizes the latest SSL encryption standards (2048/256-bit keys) and TLS 1.1 or greater security protocols. Janrain offers full disk encryption for data at rest and further protects data by ensuring that every access point (UI/APIs for tool, site, application, agency, etc.) is scoped for least privilege so that only necessary data fields can be accessed. All multi-availability zone (up to 10 separate data centers each) data replicas and backups are also encrypted.

Other data protections

Abstraction layer

Janrain's services provide a consistent abstraction layer on top of access to the data. The underlying data stores are designed for consistency, reliability, data privacy and optimized for performance.

OAuth 2.0 compliant

Secure data

Each Janrain deployment and associated data is isolated in its own logically discrete production environment. Multitenant security controls, including unique session tokens, configurable session timeout values, and password policies are applied to prevent unauthorized access.

Scoped dashboard access

Dashboard access is enforced via roles. 2FA can be configured for client admins. Client admins control data access to their Janrain application.

Schema validation

Janrain validates customer schemas at deployment time to ensure sensitive data elements such as passwords are not stored in the clear.
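As an added example of the kind of deployment-time check described above (example code written for this page; the schema format, the attribute type names and the naming rule are all constructed assumptions, not Janrain's), the Python below walks a customer schema and refuses deployment if any attribute whose name looks like a secret is declared with an ordinary string type instead of a protected (hashed or encrypted) storage type.

```python
import re

# Constructed convention: attribute names that look like secrets must be declared
# with a protected storage type. "password" here means "stored as a password hash".
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|ssn)", re.IGNORECASE)
PROTECTED_TYPES = {"password", "encrypted"}   # constructed type names
CONTAINER_TYPES = {"object", "plural"}        # constructed: nested attribute lists


def find_cleartext_secrets(schema: list, prefix: str = "") -> list:
    """Return dotted paths of sensitive-looking attributes not stored in a protected type.

    `schema` is a constructed list of attribute dicts, e.g.
    {"name": "password", "type": "password"} or
    {"name": "address", "type": "object", "attributes": [...]}.
    """
    violations = []
    for attr in schema:
        path = f"{prefix}{attr['name']}"
        attr_type = attr.get("type", "string")
        if attr_type in CONTAINER_TYPES:
            # Recurse into nested attributes; the container name itself is not checked.
            violations.extend(find_cleartext_secrets(attr.get("attributes", []), path + "."))
            continue
        if SENSITIVE_NAME.search(attr["name"]) and attr_type not in PROTECTED_TYPES:
            violations.append(path)
    return violations


def validate_schema(schema: list) -> bool:
    """Deployment gate: raise if any sensitive attribute would be stored in the clear."""
    problems = find_cleartext_secrets(schema)
    if problems:
        raise ValueError(
            "refusing to deploy: sensitive attributes stored in the clear: " + ", ".join(problems)
        )
    return True


# Constructed sample schema with one compliant and two non-compliant attributes.
SAMPLE_SCHEMA = [
    {"name": "email", "type": "string"},
    {"name": "password", "type": "password"},            # hashed storage: OK
    {"name": "legacyPassword", "type": "string"},        # cleartext: violation
    {"name": "address", "type": "object", "attributes": [
        {"name": "country", "type": "string"},
    ]},
    {"name": "apiTokens", "type": "plural", "attributes": [
        {"name": "label", "type": "string"},
        {"name": "token", "type": "string"},             # cleartext: violation
    ]},
]


if __name__ == "__main__":
    print(find_cleartext_secrets(SAMPLE_SCHEMA))
```

A name-based rule such as this one is deliberately conservative: a false positive costs a schema author an explicit protected type or a rename, whereas a miss means a credential lands in the database in the clear.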

Bcrypt hashing algorithm

Passwords are protected with the bcrypt hashing algorithm at a cost factor of 10.

Input validation

Input validation is performed to preserve data integrity.

Scans

Janrain engages an industry recognized third party to perform an independent, impartial network penetration and application vulnerability test annually. Test reports are available to be viewed by Janrain clients upon request. The application vulnerability testing is based on OWASP, SANS, CWE and WASC standards.